Executive Summary

We conduct an annual review of the Statewide Accounting, 
Budgeting and Human Resource System (SABHRS). SABHRS 
provides the State of Montana with an enterprise system for 
managing budget development, financial and human resource 
information. SABHRS is used by all state agencies to account for 
and report the use and disposition of all public money and property 
in accordance with state law. The state has completed its third fiscal 
year-end under the SABHRS system. 

Our objective is to provide reasonable assurance that controls exist to
ensure data acquired from the agencies (via on-line or electronic
transmission) is properly processed and recorded, as well as
appropriately secured from unauthorized or unnecessary access.

To determine whether our control objectives were met, we evaluated
whether access to data and system processing is controlled, whether 
processing is controlled to allow valid data to process while 
capturing invalid data, and whether system processing additions or 
modifications are tested and controlled. We evaluated system tables, 
processing rules, and reports to determine whether tables contained 
correct data and reports containing processing results are reasonably 
constructed and tested to provide accurate information to users. 

Through interview, observation and review, we evaluated the general 
controls environment over SABHRS, including security access and 
the implementation status of the five prior audit recommendations. 
Three recommendations have been implemented; two 
recommendations related to a comprehensive security plan and 
retention of an audit trail are partially implemented. 

The current report identifies specific control testing performed, the 
testing methodology and the test results. Overall, except as 
discussed in Chapter Three, SABHRS operates as intended and 
processing is in compliance with state statute, applicable law, state 
policies and procedures. 

We determined SABHRS contained incorrect unemployment
insurance rates, causing the state agencies to overpay UI by 
approximately $127,000 over the past three years. The result is a 
three-part recommendation to: 

► Acquire and install current UI rates. 

► Work with Department of Revenue to credit UI overpayments to 
the overcharged agencies. 

► Develop a procedure to ensure timely updates of rates.

As discussed in Chapter Two, using the Internet, in six minutes we 
were able to find the information necessary to determine vendor 
password settings allowing us unauthorized access to the production 
database. We identified open access to the intermediary file used for 
the payment file transfer, increasing the risk of unauthorized 
modification. We identified inappropriate security access for 
specific individuals. Upon notification, management implemented 
immediate changes for the issues identified. 

Introduction



The Statewide Accounting, Budgeting and Human Resource System 
(SABHRS) is the State of Montana enterprise system for managing 
budget development, financial and human resource information. 
SABHRS is used by all state agencies to account for and report the 
use and disposition of all public money and property in accordance 
with state law. The state of Montana has just completed the third 
fiscal year-end under the SABHRS system. 



SABHRS Finance and Human Resource System Background



Currently, the SABHRS Services Bureau (SSB), organized within 
the Department of Administration's Information Technology 
Services Division, is responsible for system maintenance, security 
and management of daily production operations. The Department of 
Administration's State Personnel and Administrative Financial 
Services Divisions operate the SABHRS applications. State agencies 
are responsible for accurately entering their data into SABHRS. 

SABHRS processing is a combination of commercial software and 
customized modifications to meet Montana's needs. SABHRS 
components include three applications: the Finance System (FT), the
Human Resource Management System (HRMS), and the Montana
Budget Analysis and Reporting System (MBARS). We did not
include MBARS in our audit scope because MBARS is the system 
used to develop the budget, while the actual budget is accounted for 
on the Finance Systems. 



FINANCE SYSTEM 

Currently, Montana is operating under version 7 of PeopleSoft 
financials. Finance is its own database and is comprised of five 
modules: Accounts Receivable, Accounts Payable, Purchasing, 
Asset Management, and General Ledger. 

Accounts Receivable processes and records revenue collections and 
aids in the bank reconciliation process. Currently, state personnel 
use this module for maintaining customers, entering items, entering 
payments/deposits, and applying payments. 

The Accounts Payable module manages cash disbursements. 
Accounts Payable integrates with three other modules: General 
Ledger, Asset Management, and Purchasing. In order to create 
warrants, agencies must enter vouchers or interface payment files
into the Accounts Payable module. 

The Purchasing module provides automation of the business 
processes for the procurement of goods and services. The primary 
user of this module is the state's General Services Division, Print 
Services Bureau. We did not review the Purchasing module 
functions. 

The Asset Management module accounts for state property. 
Depreciation is calculated and recorded to the appropriate ledger(s) 
in accordance with state policy. 

The General Ledger module stores balance sheet, revenue and 
expenditure activity for agencies while separately identifying agency 
financial activity. Functions include journal entry, budgeting, 
account inquiry, and reporting. 

The state plans to upgrade the financial database in November of 
2003. PeopleSoft Version 8.4 for Finance is a web-based 
application. Users will access the software utilizing an Internet web
browser.

HUMAN RESOURCE MANAGEMENT SYSTEM (HRMS) 

Currently, Montana is operating under version 7.5 of PeopleSoft 
Human Resource Management. HRMS is its own database 
comprised of four modules: Human Resource, Benefits 
Administration, Time and Labor, and Payroll. 

The Human Resource module is the core of HRMS, maintaining all 
state employee personal, job, and employment information. 

The Benefits Administration module defines the eligibility and 
enrollment rules for benefits, such as leave, medical and 
discretionary benefits for each employee. We did not review the 
Benefits Administration module. 

The Time and Labor module processes all employee time entry, 
including electronic time entry, processes to validate time, and leave 
balance information. 

The Payroll module provides real-time data editing and validation
and contains the batch processes that calculate payroll and create the
print file.

Montana plans to upgrade the HRMS modules to version 8.3 by the 
end of the second quarter of 2003. 

Report Organization

Chapter one of the report provides background information on the
SABHRS system and the modules comprising the system. This
report is intended to address the needs of various SABHRS users;
for example, financial-compliance audit will rely on this work for
assurance to facilitate their audit processes. Chapter two discusses
specific general controls, including access rights to system resources,
and chapter three includes specific application level discussion.

Audit Objective

SABHRS supports the core administrative processes used by all state
agencies to account for and record the financial and human resource
data; therefore, we perform an annual review of the SABHRS control
environment. Our objective is to provide reasonable assurance that
controls exist to ensure data acquired from state agencies (via on-line
or electronic transmission) is properly processed and recorded, as
well as appropriately secured from unauthorized or unnecessary
access.



Audit Scope and Methodology



The audit was conducted in accordance with Government Auditing 
Standards published by the United States General Accounting Office 
(GAO). We evaluated controls using generally accepted information 
technology governance and control practices provided by the GAO 
and the Control Foundation's Control Objectives for Information and 
Technology (COBIT). 



To determine whether our control objectives were met, we evaluated
whether access to data and system processing is controlled, whether 
processing is controlled to allow valid data to process while 
capturing invalid data, and whether system processing additions or 
modifications are tested and controlled. We evaluated system tables, 
processing rules, and reports to determine whether tables contained 
correct data and reports containing processing results are reasonably 
constructed and tested to provide accurate information to users. 

Through interview, observation and review, we evaluated the general 
controls environment over SABHRS, including security access and 
the implementation status of the five prior audit recommendations. 

Prior Audit Recommendations



The previous SABHRS audit report (02DP-02) included five 
recommendations to the department for improving general and 
application controls. We recommended: 



IMPLEMENTED 

► SSB and State Personnel Division define and formally document 
the roles and responsibilities of maintaining HRMS data. 

► SSB continue to document and test a comprehensive disaster 
recovery plan for the SABHRS applications. 

► SSB develop written SABHRS production recovery procedures. 

PARTIALLY IMPLEMENTED 

► SSB develop and implement a comprehensive security plan over 
the SABHRS environment. 



The SABHRS security plan is in draft format. SSB staff has made
progress in developing a plan and are working to integrate
SABHRS security with the overall plan for information security.
However, not all elements of the recommendation are addressed.
United States General Accounting Office and information industry
best practices state that security plans should include periodic
management assessments to ensure the plan continues to cover
new security risks occurring since the plan was developed. Also,
best practices are that management monitor and test the plan's
effectiveness so that weaknesses and oversights can be detected
and changed.

► SSB develop and retain audit trails for data and processing 
changes. 

An audit trail does not exist for all SABHRS processes. Audit 
trails provide evidence of successful processing or descriptions 
of the events occurring when processing is unsuccessful. An 
audit trail has the details of who or what caused a problem, the 
changes made to remedy the problem, and the result of the 
changes. Audit trails are critical evidence necessary to determine 
changes are appropriate. SSB staff has developed guidelines 
describing the conditions requiring changes, authorizing access 
for changes, and suggested documentation and review 
requirements. SSB is exploring the possibility that SABHRS 
system tools can provide an audit trail. However, since no 
automated audit trail is being created independent of self-reporting,
we determined the prior audit recommendation to be
partially implemented. 

Introduction



General Controls include management developed plans, policies and 
procedures applied to the SABHRS environment to assure controlled 
operation of SABHRS hardware and software. 



Finance and Human Resource Database Access

Overall, except as discussed in chapter three, SABHRS controls exist
to ensure data is processed and recorded as intended. However, we
identified inappropriate security access and upon notification, SSB
implemented immediate changes for the individuals identified.

Access controls prescribe who has access to what specific system
resource and also the type of access that is permitted. Our access
control testing included the following.

Finance Database Access

Test : Finance database access is limited to appropriate users.



Method : Extract finance database access accounts and review for 
blank or generic accounts indicating unidentified users with database 
access. Identify accounts with access to change programs and data. 
Compare accounts to SSB policy to ensure only appropriate staff 
have this access. 

Conclusion : No exceptions noted.

Due Diligence : We identified an active user account for an 
individual who no longer works as a temporary employee for the 
state. We notified SABHRS staff and they appropriately responded 
by working with the agency to promptly deactivate access. 



Test : Accounts Payable access to modify and approve vendor records 
is limited to appropriate users and prevents a person from both 
entering and approving vendor payments. 



Method : Query database to identify users with inappropriate access 
to create a vendor and enter and approve vendor payment. Attempt 
to inappropriately enter and approve payments. 

Conclusion : No exceptions noted.

Due Diligence : During our access work, we reviewed standard 
system settings to determine that standard access settings are 
disabled or changed. Unchanged standard settings create a security 
risk to any system because standard setting details are available to 
the public. A knowledgeable person can exploit standard settings to 
gain unauthorized system access and then manipulate the system or 
data. One public source of standard settings is the Internet. We used 
the Internet to search for password information about PeopleSoft 
software settings. In six minutes we found the necessary 
information, allowing us to deduce a password for one of the 
standard settings. We used the password to create our own 
unauthorized access to the SABHRS production database. We 
notified SABHRS personnel and they appropriately responded by 
changing the password. 



Operating System Access

Test: SABHRS operating system access and roles are restricted to
appropriate staff; network and application settings are appropriate;
and "startup jobs" are controlled and appropriate.

Method : Extract operating system files and review configuration and 
access details to ensure settings are consistent with best practices and 
SABHRS management description. 

Conclusion : No exceptions noted. 



Test : Database access and roles are restricted to appropriate staff, 
staff changes to the database are monitored, and the database is 
configured to ensure recovery. 

Method : Extract database table contents and review staff and public 
access administrative roles and privileges; extract audit logs and 
review entries for staff changes to the database; and extract the 
database initiation file and review for active recovery settings. 

Conclusion : No exceptions noted.



Test : Access to UNIX and mainframe directories is restricted to
appropriate individuals. Files that create state warrants are moved
from the UNIX and mainframe directories after processing, thereby
preventing inadvertent duplication of payments.

Method : Extract user identifications with access to specific 
mainframe directories. Confirm user identifications are for 
individuals having responsibilities needing access. Observe warrant 
file management. 

Conclusion : No exceptions noted. 

Due Diligence : During our directory work, we identified an 
intermediary directory used for file transfer that was open to all 
operating system users. Since this directory is used for the payment 
file transfer, unauthorized users could create and insert their own 
warrant file or modify existing warrant files for creating warrants. 
We notified ITSD staff of the open access and they responded 
appropriately to restrict access to those individuals with 
responsibility for file transfer. In addition, ITSD staff performed a 
directory access review to ensure existing access is appropriate for 
additional directories. 



HRMS Access

Test : Only employees with State Personnel Division (SPD) written
approval are granted HRMS access to update their own employment
data files.

Method : Query the HR database to identify individuals having access
authority to update their own records and ensure each exception is in
accordance with the SABHRS security plan.

Conclusion : We identified eleven individuals with access to update 
their own payroll records; however, four individuals do not have the 
required exception documentation granting them access to update
their own records. 

Discussion : Both the SABHRS Security Plan and the SPD 
instructions memo discourage allowing an employee the access to 
update their time records. However, both documents state that there 
are circumstances where an agency can request an individual be 
granted the ability to update their own records. Agency 
administrators must be willing to accept the risk associated with this 
access and must document accepting the risk. When that is the case, 
both SSB staff and SPD will allow the control to be suspended and 
will grant access permitting the individual the ability to enter and 
approve their time. 

Due Diligence : We identified three terminated state employees who 
have access to SABHRS HRMS, with the ability to add an employee, 
enter, and approve time. We notified SABHRS personnel of the 
active access and they appropriately responded by working with the 
agency to terminate access. 



Test : Access to the HRMS earnings table, holding the pay rates for 
all positions in state government, is restricted to appropriate 
individuals. 

Method : Identify the operator classes having authority to modify the 
earnings table. Query the database to capture the users with operator 
classes capable of modifying the earnings table. Confirm users are 
limited to the appropriate SSB and State Personnel Division staff. 

Conclusion : No exceptions noted. 
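
The access tests in this chapter (unidentified accounts, active accounts for departed staff, one person both entering and approving payments, and self-update access without a documented exception) can be run as one reconciliation. The following is an added example, not code from the audit or from SABHRS; the account records, permission names and generic-ID list are constructed for illustration.

```python
# Constructed sample data: user IDs, employee numbers and permission names
# are hypothetical and do not come from SABHRS or PeopleSoft.
GENERIC_IDS = {"admin", "guest", "test", "temp"}
CONFLICTING = {"VOUCHER_ENTER", "VOUCHER_APPROVE"}  # one person must not hold both

ACCOUNTS = [
    {"user": "jdoe", "employee": "E100", "active": True,
     "perms": {"VOUCHER_ENTER"}},
    {"user": "asmith", "employee": "E101", "active": True,
     "perms": {"VENDOR_CREATE", "VOUCHER_ENTER", "VOUCHER_APPROVE"}},
    {"user": "temp", "employee": "", "active": True,
     "perms": {"VOUCHER_ENTER"}},
    {"user": "bjones", "employee": "E102", "active": True,
     "perms": {"UPDATE_OWN_RECORD"}},
    {"user": "clee", "employee": "E103", "active": True,
     "perms": {"UPDATE_OWN_RECORD"}},
    {"user": "dkim", "employee": "E104", "active": False,
     "perms": {"VOUCHER_APPROVE"}},
]
# Employment status as recorded by the personnel office (constructed).
ROSTER = {"E100": "active", "E101": "active", "E102": "terminated",
          "E103": "active", "E104": "terminated"}
# Employees with a written exception allowing them to update their own records.
SELF_UPDATE_EXCEPTIONS = {"E103"}


def review_access(accounts, roster, self_update_exceptions):
    """Return {finding: sorted user IDs}; deactivated accounts are ignored."""
    findings = {
        "unidentified": [],             # blank, generic or unmatched accounts
        "terminated_active": [],        # account still active after departure
        "enter_and_approve": [],        # segregation-of-duties conflict
        "self_update_undocumented": [], # self-update without written exception
    }
    for account in accounts:
        if not account["active"]:
            continue
        user, employee = account["user"], account["employee"]
        perms = account["perms"]
        status = roster.get(employee)
        if user.lower() in GENERIC_IDS or status is None:
            findings["unidentified"].append(user)
        elif status != "active":
            findings["terminated_active"].append(user)
        if CONFLICTING <= perms:
            findings["enter_and_approve"].append(user)
        if "UPDATE_OWN_RECORD" in perms and employee not in self_update_exceptions:
            findings["self_update_undocumented"].append(user)
    return {name: sorted(users) for name, users in findings.items()}


if __name__ == "__main__":
    for finding, users in review_access(ACCOUNTS, ROSTER, SELF_UPDATE_EXCEPTIONS).items():
        print(f"{finding}: {users}")
```

Running the same reconciliation on a schedule, rather than once a year, shortens the window in which a departed employee's account stays usable.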

Overall Processing

Overall, except as discussed below, SABHRS controls exist to
ensure data is processed and recorded as intended. To substantiate
processing of operations, we performed the following audit tests.

Asset Management

SABHRS Asset Management module maintains records of certain 
property acquired by the state. State policy requires agencies to 
calculate and record depreciation for assets that exceed certain 
threshold amounts. Testing included examining existing processes 
and changes due to new accounting requirements to ensure 
depreciation is calculated and recorded to the appropriate ledgers. 



Test : Asset Management system modifications and records 
converted from prior SABHRS accounts and funds to new funds and 
accounts. 

Method : Extract and review changes to Asset Management database 
processes and records to confirm changes are consistent with 
Accounting Bureau instructions and SABHRS management 
documentation. 

Conclusion : No exceptions noted. 



Test : Asset Management operates with the correct asset categories 
and definitions provided by Accounting Bureau. 

Method : Extract the profile identifications and category definitions 
from the database and verify they are consistent with Accounting 
Bureau profiles and categories. 

Conclusion : No exceptions noted. 



Test : Asset Management accurately calculates depreciation. 

Method : Extract the capitalization threshold amounts from the
database and verify the amounts are consistent with state policy. 

Conclusion : SABHRS cannot recognize multiple dollar threshold 
amounts for asset categories set by state policy. 

Discussion : Depending on the asset category and the asset purchase 
amount, state policy requires certain assets to be expensed at the time 
of purchase or capitalized as a depreciable asset. Generally, assets 
costing less than $5,000, building improvements costing less than 
$25,000, or infrastructure costing less than $500,000 are expensed. 
Assets costing more than these thresholds are capitalized. The 
current version of SABHRS can only account for one threshold 
amount for capitalizing assets and one threshold amount for 
expensing assets. As a result, SABHRS information users should be 
aware that no SABHRS control exists to enforce state policy for 
asset category minimum or maximum amounts. The responsibility
and control over properly classifying assets exist at the agency level. 
To assist agency personnel, SABHRS does have reports available to 
monitor asset activity so they can ensure assets properly post to 
Asset Management and General Ledger Accounts. 

Due Diligence : We extracted and reviewed asset transactions to 
determine if assets costing more than $5,000 were being expensed. 
There were 437 transactions in excess of the general $5,000 
threshold for capital items. We identified 27 transactions where 
asset costs were inconsistent with capitalization thresholds, and 58 
transactions where transaction details did not agree with asset 
categories. We notified Accounting Bureau and they appropriately 
responded by investigating the transactions with the agencies. 



Test : Asset Management transactions are recorded in the appropriate 
General Ledger accounts. 

Method : Identify and extract Asset Management posting rules from
the SABHRS database and confirm rules are consistent with 
Accounting Bureau instructions. 

Conclusion : No exceptions noted. 



Accounts Payable

The Accounts Payable module manages cash disbursement
transactions. In order to create non-payroll warrants, agencies must
enter vouchers or interface payment files into Accounts Payable.

Test : Validation edits exist and are applied prior to SABHRS 
accepting the data. 

Method : Try to defeat the validation edits by creating on-line
changes in voucher and vendor records. 

Conclusion : No exceptions noted. 



Test : Each SABHRS vendor identification number is unique. 

Method : Query the SABHRS database to locate duplicate vendor 
identification numbers. 

Conclusion : No exceptions noted. 



Test : SABHRS has required data fields to ensure all vendor records 
are complete. 

Method : Query the SABHRS database for required fields that are 
empty. 

Conclusion : No exceptions noted. 

Test : Inbound Accounts Payable files are screened for valid data.

Method : Extract and review code containing screening instructions
to ensure duplicate files are not accepted for processing; file is
formatted correctly; control totals are present; lines balance; and
payment is greater than $0 before accepting the file for SABHRS
processing.

Conclusion : No exceptions noted. 
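
The screening checks listed in this test (duplicate file, format, control totals, balanced lines, payment greater than $0) can be sketched as a single gate that an inbound file must pass before loading. This is an added example, not SABHRS code; the pipe-delimited record layout, field names and sample file are constructed for illustration.

```python
import hashlib
from decimal import Decimal, InvalidOperation

# Hypothetical pipe-delimited layout, constructed for this example:
#   H|<file_id>|<voucher_count>|<control_total>
#   V|<voucher_id>|<vendor_id>|<payment_amount>
#   D|<voucher_id>|<account>|<line_amount>
FIELD_COUNTS = {"H": 4, "V": 4, "D": 4}

GOOD_FILE = (  # constructed sample input
    "H|AP0001|2|150.00\n"
    "V|V1|VEND01|100.00\n"
    "D|V1|62100|60.00\n"
    "D|V1|62200|40.00\n"
    "V|V2|VEND02|50.00\n"
    "D|V2|62100|50.00\n"
)


def parse_amount(text):
    """Parse a money field strictly; None means the field is not usable."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value.is_finite() else None


def screen_file(content, seen_digests, seen_file_ids):
    """Return rejection reasons for one inbound file; an empty list means accept.

    seen_digests and seen_file_ids are sets describing files already accepted;
    they are updated only when the file passes every check.
    """
    digest = hashlib.sha256(content.encode("utf-8")).hexdigest()
    if digest in seen_digests:
        return ["duplicate file: identical content already accepted"]

    errors, header = [], None
    vouchers, line_sums = {}, {}  # voucher_id -> payment / sum of its lines
    for number, raw in enumerate(content.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split("|")
        kind = fields[0]
        if FIELD_COUNTS.get(kind) != len(fields):
            errors.append(f"line {number}: unknown record type or wrong field count")
        elif kind == "H":
            if header is not None:
                errors.append(f"line {number}: more than one header record")
            header = header or fields
        else:
            voucher_id, amount = fields[1], parse_amount(fields[3])
            if amount is None:
                errors.append(f"line {number}: amount is not a number")
            elif kind == "D":
                line_sums[voucher_id] = line_sums.get(voucher_id, Decimal(0)) + amount
            elif voucher_id in vouchers:
                errors.append(f"line {number}: voucher {voucher_id} appears twice")
            else:
                vouchers[voucher_id] = amount
                if amount <= 0:
                    errors.append(
                        f"line {number}: voucher {voucher_id} payment must be greater than $0")

    # Control totals must be present and agree with the detail records.
    if header is None:
        errors.append("control totals missing: no header record")
    else:
        total = parse_amount(header[3])
        if header[1] in seen_file_ids:
            errors.append(f"duplicate file: file id {header[1]} already accepted")
        if not header[2].isdecimal() or total is None:
            errors.append("control totals missing or unreadable in header")
        else:
            if int(header[2]) != len(vouchers):
                errors.append("control count does not match number of vouchers")
            if total != sum(vouchers.values(), Decimal(0)):
                errors.append("control total does not match sum of payments")

    # Each voucher's distribution lines must balance to its payment amount.
    for voucher_id, amount in vouchers.items():
        if line_sums.get(voucher_id, Decimal(0)) != amount:
            errors.append(f"voucher {voucher_id}: lines do not balance to payment")
    for voucher_id in sorted(line_sums.keys() - vouchers.keys()):
        errors.append(f"voucher {voucher_id}: distribution lines without a voucher record")

    if not errors:
        seen_digests.add(digest)
        seen_file_ids.add(header[1])
    return errors


if __name__ == "__main__":
    digests, file_ids = set(), set()
    print(screen_file(GOOD_FILE, digests, file_ids))  # first submission
    print(screen_file(GOOD_FILE, digests, file_ids))  # resubmission
```

Amounts are handled as `Decimal` so that balance and control-total comparisons are exact.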



Test : Payments are posting to the General Ledger. 

Method : Extract modifications to PeopleSoft instructions for posting 
to ensure modifications do not affect validity of posting. 

Conclusion : No exceptions noted. 



Test : Voucher Status Report, Vendor Changes Report and voucher 
validation exception reports are operating to capture and provide 
error and change details. 

Method : Examine processing instructions, verify data sources and 
resulting reports. Create online changes to vendor records and 
review the report to confirm vendor changes were captured. 

Conclusion : Vendor Changes Report did not capture changes made 
to vendor names. 

Discussion : The Vendor Changes Report acts as an audit log to 
identify changes to vendor names and addresses. The report is 
available for agency personnel to monitor changes. The report had 
not been capturing vendor name changes since February 2001, when 
a software upgrade overwrote the file. Upon notification, SSB 
personnel corrected the program instructions. 

General Ledger

The General Ledger is the primary set of financial records for the
state. General Ledger testing included examining existing processes
and changes since the prior audit to information inputs, processing
instructions and the resulting activity reports.

Test : Identify changes to General Ledger journal input sources and 
controls. 

Method : Extract the active journal sources from the finance database 
and identify journal sources added since the prior audit. Review 
input process to identify controls. 

Conclusion : One additional source was identified. 

Discussion : IMPORT is a General Ledger journal source added since 
the prior audit. An "input source" identifies the point in SABHRS 
that the transaction originated. The source is key for General Ledger 
reporting purposes, as it also identifies transactions from other 
modules or systems. SSB authorizes agency staff to use IMPORT as 
a source for General Ledger processing when agencies create 
numerous and repetitive journal entries. While authority to load files 
is restricted, anyone can create the transaction file to be loaded for 
SABHRS processing. Therefore, the control over IMPORT file 
creation and contents exists not with SABHRS but at the agency. 



Test : General Ledger processes are operating as described by 
SABHRS management. 

Method : Extract the processing instructions to validate database 
references and confirm the program instructions are consistent with 
SABHRS management description. Validate the Entitywide Trial
Balance by querying the finance database and comparing the 
resulting fund and account activity and balances to the Entitywide 
Trial Balance fund and account activity and balances. 

Conclusion : No exceptions noted.

Discussion : GASB 34 is a recent change in accounting principle. 
The SABHRS Entitywide Trial Balance is a new report created to 
provide SABHRS users with a means of monitoring GASB 34 
transactions. 



Test : Non-budgeted transaction fields are validated before posting to
the General Ledger.

Method : Extract General Ledger posting rules and confirm data
validation applies to SABHRS non-budgeted transactions.

Conclusion : No exceptions noted.

Discussion : SABHRS information users should be aware that in
certain uncommon circumstances SABHRS will not prevent
non-budgeted transactions from posting with improper budget details.
SABHRS rules ensure that budgeted and non-budgeted transaction
data are validated before posting to the General Ledger. However,
budgeted and non-budgeted data are treated differently in that
budgeted data is validated against an agency's budget rules. Since
non-budgeted data bypass these additional checks, budgeted data
erroneously included in the transaction will not be checked against
an agency's rules and will post to the General Ledger. The
responsibility and control for creating and approving an accurate
transaction exists at the agency level. To assist agency personnel,
SABHRS does have reports available that agency personnel
responsible for monitoring budgeted and non-budgeted transaction
activities can use to ensure transactions properly post to the General
Ledger. Beginning in August 2002, non-budgeted transactions are
linked to the agency to limit transactions posting with improper
details.

Time and Labor



The Time and Labor module processes time entered by or on behalf
of employees. For those agencies currently participating, the state
uses an internal network (intranet) for online time entry.



Test : Intranet web-based time entry controls operate to prevent 
employees from altering their time reporting once a supervisor has 
approved their time report. 

Method : Extract the instructions that operate the state's web-based 
time reporting process. Review instructions to identify existing 
controls that prevent an employee from altering entries to their 
timesheet once it has been submitted for supervisor approval. 
Observe an attempt to change reported time and ensure supervisor 
review is required prior to change in time reported. 



Conclusion : No exceptions noted.



Payroll

The Payroll module functionality provides real-time data editing and 
validation to ensure accuracy of payroll. 



Test : Payroll posting is complete and accurate. 

Method : Extract and review SSB modifications to the PeopleSoft 
processing instructions for posting payroll to the General Ledger. 
Confirm modifications are consistent with the operation and 
management understanding of the posting process. 

Conclusion : No exceptions noted. 



Test : Ensure database tables contain the correct contribution rates for 
Unemployment Insurance (UI), Worker's Compensation, and state 
retirement systems. 



Method : Extract UI contribution rates, retirement system rates and 
worker's compensation rates. Compare database rates with state 
statute or state agency responsible for administering the rates. 

Conclusion : SABHRS Human Resource (HR) database contains
incorrect UI rates.

Discussion : SABHRS HR calculates employer payroll contributions
for state agencies. UI is one type of employer contribution
calculation performed for each two-week pay period. The accuracy
of the calculation process depends on referencing the correct rates
in the HR database. UI contribution rates for employers can change
and are usually updated annually. Department of Revenue is 
responsible for providing employers, including the State Personnel 
Division (SPD), with current UI rates. SPD notifies appropriate 
SABHRS staff to install the current rates in the database. SPD 
personnel stated the Department of Revenue did not notify them of 
any rate changes for fiscal years 2001, 2002, or 2003. Therefore, the 
UI tax rates have not been updated in SABHRS since fiscal year 
2001. 

Effect : Department of Administration, State Personnel Division, 
personnel said that state agencies overpaid UI by approximately 
$127,000 over the past three years. 



Recommendation #1 



We recommend: 

A. State Personnel Division acquire the current UI rates 
from Department of Revenue and direct SABHRS staff to 
install these rates. 

B. State Personnel Division work with Department of 
Revenue to credit UI overpayments to the overcharged 
agencies. 

C. State Personnel Division develop a procedure to ensure 
timely updates of employer payroll contribution rates. 



Test : HR retirement contribution reports pull data from the correct 
sources. 

Chapter III - Assurance Over Operations



Method : Review HR retirement contributions report instructions and 
interview SSB HR programmer to confirm that proper database 
information and periods are being accessed for retirement system 
reporting. Note: HR Retirements Reports are generated based on date
paid or date of paycheck, instead of pay period end date or date the
leave was earned.

Conclusion : No exceptions noted. 



Test : Leave Balance Liability Reports are accurate. 

Method : Extract Fiscal Leave Taken and Leave Liability reports and 
review SABHRS processing instructions. 

Conclusion : No exceptions noted. 



-END OF REPORT- 

Department Response

DEPARTMENT OF ADMINISTRATION
DIRECTOR'S OFFICE

STATE OF MONTANA

JUDY MARTZ, GOVERNOR
MITCHELL BUILDING
(406) 444-2032
FAX 444-2812
PO BOX 200101
HELENA, MONTANA 59620-0101

November 25, 2002

Mr. Scott A. Seacat, Legislative Auditor
Legislative Audit Division
PO Box 201705, State Capitol
Helena, Montana 59620-1705

Dear Mr. Seacat: 

We have reviewed the recommendations pertaining to the Statewide Accounting, 
Budgeting and Human Resource System (SABHRS) audit conducted for the fiscal year 
ended June 30, 2002. Our response to the recommendations follows. 

RECOMMENDATION #1 : 

A. WE RECOMMEND THE STATE PERSONNEL DIVISION ACQUIRE THE
CURRENT UI RATES FROM DEPARTMENT OF REVENUE AND DIRECT
SABHRS STAFF TO INSTALL THESE RATES.

B. WE RECOMMEND THE STATE PERSONNEL DIVISION WORK WITH 
DEPARTMENT OF REVENUE TO CREDIT OVERPAYMENTS TO THE 
OVERCHARGED AGENCIES. 

C. WE RECOMMEND THE STATE PERSONNEL DIVISION DEVELOP AN 
EFFECTIVE PROCEDURE TO ENSURE TIMELY UPDATES OF EMPLOYER 
PAYROLL CONTRIBUTION RATES. 

Response: 

We concur. The State Personnel Division has installed current UI rates, and is working
with the Department of Revenue to ensure that overpayments are properly credited to 
the agencies. The Division has implemented new procedures that will ensure timely 
updates of employer payroll contribution rates. 

We thank you and your staff for conducting the audit in a professional manner. 

Sincerely, 

SCOTT DARKENWALD
Director

"AN EQUAL OPPORTUNITY EMPLOYER" 




